diff --git a/doc/manual/installation.xml b/doc/manual/installation.xml index cb94dbbe..c9bb0291 100644 --- a/doc/manual/installation.xml +++ b/doc/manual/installation.xml @@ -272,6 +272,62 @@ server { +
+ Using LDAP as authentication backend (optional) + + Instead of using Hydra's built-in user management you can optionally use LDAP to manage roles and users. + + + + The hydra-server accepts the environment + variable HYDRA_LDAP_CONFIG. The value of + the variable should point to a valid YAML file containing the + Catalyst LDAP configuration. The format of the configuration + file is describe in the + + Catalyst::Authentication::Store::LDAP documentation. + An example is given below. + + + + Roles can be assigned to users based on their LDAP group membership + (use_roles: 1 in the below example). + For a user to have the role admin assigned to them + they should be in the group hydra_admin. In general + any LDAP group of the form hydra_some_role + (notice the hydra_ prefix) will work. + + + +credential: + class: Password + password_field: password + password_type: self_check +store: + class: LDAP + ldap_server: localhost + ldap_server_options.timeout: 30 + binddn: "cn=root,dc=example" + bindpw: notapassword + start_tls: 0 + start_tls_options + verify: none + user_basedn: "ou=users,dc=example" + user_filter: "(&(objectClass=inetOrgPerson)(cn=%s))" + user_scope: one + user_field: cn + user_search_options: + deref: always + use_roles: 1 + role_basedn: "ou=groups,dc=example" + role_filter: "(&(objectClass=groupOfNames)(member=%s))" + role_scope: one + role_field: cn + role_value: dn + role_search_options: + deref: always + +
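Review bot: The example configuration disables transport security and certificate checking — `start_tls: 0` and `verify: none` under `start_tls_options` — and readers will copy it verbatim; with any `ldap_server` other than localhost the `bindpw` and every user's password then cross the network in cleartext, and with `verify: none` even a TLS session gives no protection against a spoofed LDAP server. The example should default to the safe setting, `start_tls: 1` with `start_tls_options:` / `verify: require`, and the prose should say that `verify: none` is acceptable only for local testing. It is also worth stating that the file named by HYDRA_LDAP_CONFIG contains `bindpw` in plaintext and must be readable only by the user running hydra-server. As shown, `start_tls_options` has no trailing colon, which may be an extraction artifact but would not parse as a mapping key if it is in the file. Minor wording: "is describe in the" should read "is described in the".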